
Configuring OpenLDAP as an IdP to connect with SimpleSAML

This guide was written on a Debian-based operating system (e.g. Ubuntu). On other distributions, replace "apt-get" with the respective package manager. The example uses a public LDAP server that you can use for testing.

Change the example domain idp-ldap.federation.ga to your domain.

Prerequisites:
  • Apache 2
  • PHP 5
  • SimpleSAML >= 1.12
  • LDAP Server
Instructions:
    • Open config/authsources.php, uncomment the 'example-ldap' example (delete the /* before and the */ after) and change the values to those of your LDAP server:
      • nano config/authsources.php
            // Example of a LDAP authentication source.
            'example-ldap' => array(
                'ldap:LDAP',

                // Give the user an option to save their username for future login attempts,
                // and, when enabled, what the default should be: save the username or not.
                'remember.username.enabled' => FALSE,
                'remember.username.checked' => FALSE,

                // The hostname of the LDAP server.
                'hostname' => 'idp-ldap.federation.ga',

                // Whether SSL/TLS should be used when contacting the LDAP server.
                'enable_tls' => FALSE,

                // Whether debug output from the LDAP library should be enabled.
                // Default is FALSE.
                'debug' => TRUE,

                // The timeout for accessing the LDAP server, in seconds.
                // The default is 0, which means no timeout.
                'timeout' => 0,

                // Set whether to follow referrals. AD Controllers may require FALSE to function.
                'referrals' => FALSE,

                // Which attributes should be retrieved from the LDAP server.
                // This can be an array of attribute names, or NULL, in which case
                // all attributes are fetched.
                'attributes' => NULL,

                // The pattern which should be used to create the user's DN given the username.
                // %username% in this pattern will be replaced with the user's username.
                //
                // This option is not used if the search.enable option is set to TRUE.
                'dnpattern' => 'uid=%username%,dc=idp-ldap,dc=federation,dc=ga',

                // As an alternative to specifying a pattern for the user's DN, it is possible to
                // search for the username in a set of attributes. This is enabled by this option.
                'search.enable' => TRUE,

                // The DN which will be used as a base for the search.
                // This can be a single string, in which case only that DN is searched, or an
                // array of strings, in which case they will be searched in the order given.
                'search.base' => 'dc=idp-ldap,dc=federation,dc=ga',

                // The attribute(s) the username should match against.
                //
                // This is an array with one or more attribute names. Any of the attributes in
                // the array may match the value of the username.
                'search.attributes' => array('uid', 'mail'),

                // The username & password simpleSAMLphp should bind with before searching. If
                // this is left as NULL, no bind will be performed before searching.
                'search.username' => 'cn=admin,dc=idp,dc=federation,dc=ga',
                'search.password' => 'egdpassword',

                // If the directory uses privilege separation,
                // the authenticated user may not be able to retrieve
                // all required attributes; a privileged entity is required
                // to get them. This is enabled with this option.
                'priv.read' => TRUE,

                // The DN & password simpleSAMLphp should bind with before
                // retrieving attributes. These options are required if
                // 'priv.read' is set to TRUE.
                'priv.username' => 'cn=admin,dc=idp,dc=federation,dc=ga',
                'priv.password' => 'egdpassword',
            ),

    • Edit /var/www/metadata/saml20-idp-hosted.php and change the following line:
      • $ nano metadata/saml20-idp-hosted.php
      • 'auth' => 'example-ldap',
    • Edit /var/www/metadata/saml20-sp-remote.php and change the domain name:
      • $ nano metadata/saml20-sp-remote.php
            $metadata['google.com'] = array(
                'AssertionConsumerService' => 'https://www.google.com/a/appsedudemo.com/acs',
                'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
                'simplesaml.nameidattribute' => 'uid',
                'simplesaml.attributes' => FALSE,
            );

    • Open the Google Apps admin panel and change the SSO parameters under Security > Advanced Options > SSO:
      • Sign-in page URL: http://idp-ldap.federation.ga/simplesaml/saml2/idp/SSOService.php
      • Sign-out page URL: http://idp-ldap.federation.ga/simplesaml/saml2/idp/initSLO.php?RelayState=/simplesaml/logout.php
      • Change password URL: http://idp-ldap.federation.ga
      • Upload the server.crt file generated in the previous steps.